Product Manual
Page 1
Network Security Firewall User Manual DFL-210/ 800/1600/ 2500 DFL-260/ 860/1660/ 2560(G) Ver 2.27.01 SecurSiteycurity Network Security Solution http://www.dlink.com
Page 3
...OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 ... without the written consent of such revision or changes. Disclaimer The information in the content hereof without any obligation to change without notice. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.
Page 5
... and Time 136 3.9. Setting Up OSPF 188 4.5.6. Overview 108 3.4.2. Overview 128 3.7.2. Dynamic Routing Rules 185 4.5.5. Security Policies 116 3.5.2. Service Groups 88 3.2.6. PPPoE 101 3.3.5. Date and Time 132 3.8.1. Overview 142 4.2. IGMP Configuration 199 4.6.4. Static Routing 143 4.2.1. Routing ...142 4.1. CA Certificate Requests 130 3.8. User Manual 3.2.3. ICMP Services 86 3.2.4. Route Failover 151 4.2.4. The Ordering parameter 161 4.4.
Page 6
User Manual 4.7. Custom Options 228 5.3. Security Mechanisms 237 6.1. Overview 240 6.2.2. The POP3 ALG 263 6.2.7. Anti-Virus Scanning 309 6.4.1. Activating Anti-Virus Scanning 310 6.4.4. Anti-Virus Options ...241 6.2.3. The H.323 ALG 275 6.2.10. Overview 292 6.3.2. Static Content Filtering 293 6.3.4. The Signature Database 311 6.4.5. Overview 315 6.5.2. SMTP Log Receiver for D-Link Models 315 6.5.3. Ping of -Service Attack Prevention 326 6.6.1. The WinNuke attack 327 6.6.7. Spanning Tree BPDU Support 217 4.7.5. Access Rules 237 6.1.1. ALGs 240 6.2.1....
Page 7
...L2TP/PPTP Server advanced settings 430 9.5.4. VPN Troubleshooting 437 9.7.1. NAT 335 7.3. Translation of Multiple IP Addresses (M:N 348 7.4.3. User Authentication 355 8.1. Overview 377 9.1.1. Troubleshooting with Certificates 388 9.2.7. All-to LAN Tunnels with Pre-shared Keys 382 9.2.2. ...shared Keys 384 9.2.4. PPTP/L2TP 425 9.5.1. External LDAP Servers 359 8.2.5. IKE Authentication 397 9.3.4. Pre-shared Keys 402 9.3.8. User Manual 7. Translation of a Single IP Address (1:1 343 7.4.2. SAT 343 7.4.1. Protocols Handled by SAT 351 7.4.6. Multiple SAT Rule...
Page 8
....4. Setting Up SLB_SAT Rules 478 11. High Availability 482 11.1. HA Hardware Setup 487 11.3.2. Overview 497 12.2. Manual Blocking and Exclude Lists 499 12.3.4. Management Interface Failure with Anti-Virus Scanning 501 12.3.5. Traffic Management 444 10.1. ... 471 10.3.5. Threshold Rules 499 12.3.3. A P2P Scenario 467 10.2.6. NetDefendOS Manual HA Setup 488 11.3.3. Traffic Shaping 444 10.1.1. Processing Flow 466 10.2.4. Selecting Stickiness 475 10.4.4. User Manual 9.7.2. Setting Up HA 487 11.3.1. Troubleshooting Certificates 437 9.7.3. Guaranteeing Instead of ...
Page 9
State Settings 514 13.5. The OSI Framework 537 Alphabetical Index 538 9 Fragmentation Settings 520 13.8. Miscellaneous Settings 525 A. IDP Signature Groups 529 C. IP Level Settings 504 13.2. Local Fragment Reassembly Settings 524 13.9. Subscribing to Updates 527 B. Connection Timeout Settings 516 13.6. Length Limit Settings 518 13.7. ICMP Level Settings 513 13.4. Verified MIME filetypes 533 D. TCP Level Settings 508 13.3. User Manual 13.1.
Page 11
User Manual 10.10. The 7 Layers of the OSI Model 537 11 Stickiness and Connection-rate 477 D.1. Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12.
Page 13
...Status 226 5.3. Setting up Transparent Mode for Scenario 2 215 5.1. Protecting an FTP Server with IPsec Tunnels 413 9.9. Two Phones Behind Different NetDefend Firewalls 280 6.7. Allowing the H.323 Gateway to the Whitelist 332 7.1. Configuring an SMTP Log Receiver 323 6.21. Adding a Host to...for roaming clients 409 9.6. Setting up a PSK based VPN tunnel for a Mail Server 323 6.22. A simple ZoneDefense scenario 500 13 User Manual 4.14. Enabling Dynamic Web Content Filtering 297 6.16. Setting up a DHCP Relayer 230 5.5. Setting up a white and blacklist 294 6....
Page 14
...will open the specified URL in a browser in the user interface of networks and network security. This guide assumes that may appear in a new window (some basic knowledge of the product is done because the manual deals specifically with a gray background as shown below. .... Text Structure and Conventions The text is Administrators who are responsible for configuring and managing NetDefend Firewalls which are shown here. It would appear here. Where a "See chapter/section" link (such as appropriate. (The NetDefendOS CLI Reference Guide documents all CLI commands.) Example 1....
Page 30
... connection to NetDefendOS, the administrator must be manually given the following static IP values: •...NetDefend DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is successfully established, a user...Link NetDefend firewall with factory defaults, a default internal IP address is recommended) and point the browser at the address 192.168.1.1. Enter your username and password and click the Login button. If communication with NetDefendOS secure...
Page 32
List the changes made to your local computer or restore a previously downloaded backup. • Reset - Manually update or schedule updates of the configuration to the configuration during the current session. • View Changes - Upgrade the firewall's firmware. • Technical support - By ...; Update Center - This can be used to analyze a problem. The tree is divided into three major sections: A. 2.1.3. Management and Maintenance For information about the default user name and password, see Section 2.1.2, "The Default Administrator Account".
Page 41
...Secure Copy (SCP) sessions. • Web Interface sessions connected by HTTP or HTTPS. Below is some typical output showing the local console session: gw-world:/> sessionmanager -list User Database IP Type Mode Access local (none) 0.0.0.0 local console admin If the user... extension .sgs (Security Gateway Script). Use the CLI command script -execute to the NetDefend Firewall. The complete...CLI Reference Guide. 2.1.5. CLI Scripts Chapter 2. The D-Link recommended convention is then uploaded to run the script file...manual. Script files must be more than 16 characters. 2. 2.1.5.
Page 102
...the option to configure how the firewall should accept traffic from and which is provided by the NetDefend Firewall. 3.3.4. PPPoE Chapter 3. It is disconnected. This address can serve the following purposes:... is the time to wait with any interface, one or more routes are then manually entered into client computers. The ISP does not assign an IP address to distinguish ...it should sense activity on the interface, either on the same Ethernet network. User authentication If user authentication is originated or NATed by default. IP address information PPPoE uses automatic ...
Page 128
... the identity of a user certificate, the entire path from the user certificate up to the trusted root certificate has to sign other entities. Certificates Chapter 3. It links an identity to a public... supposed owner. This involves the use Pre-shared Keys (PSKs). By doing this manual to accomplish key distribution and entity authentication. The CA digitally signs all certificates it... a stamp of identity. The simplest and fastest way to provide security between the ends of the user, such as name and user ID. • Digital signatures: A statement that the certificate has...
Page 129
Certificates in this is a key reason why certificate security simplifies the administration of all certificates that have been compromised in IKE/IPsec authentication, Webauth, etc. 129 Fundamentals Validity Time A certificate is signed by a given ... be seen as global entities that certificate, perhaps because they have been revoked. In some way, or perhaps that the keys of all certificate users can be configured manually. A CA usually updates its CRL at a given interval. Trusting Certificates When using either the LDAP or HTTP protocols. Identification Lists In addition to...
Page 211
...address through ARP exchanges. However, a DHCP server could be used with High Availability and therefore true transparent mode cannot be manually configured for the interface and any corresponding non-switch routes are called lannet access the Internet via an ISP's gateway with ...must associate this approach is used to separate two networks. 4.7.2. Enabling Internet Access A common misunderstanding when setting up access to users. When enabled in the detailed examples given later. Indeed, the key advantage of creating individual entries, an interface group could be...
Page 257
...in enabled mode. • Choose the ZoneDefense network in the Anti-Virus configuration of users behind the NetDefend Firewall. When a client tries to send an email infected with a virus, the ... used for both mail clients that is to be excluded from the blocked email server. Security Mechanisms capa=PIPELINING To indicate that any local receiver. NetDefendOS offers two approaches to be...refer to send emails as well as it would be manually configured It is used with ZoneDefense SMTP is possible to manually configure certain hosts and servers to handling spam: 257 ...
Page 292
... a potential threat, such as ActiveX objects and Java Applets. • Static Content Filtering provides a means for manually classifying web sites as "good" or "bad". Security Mechanisms 6.3. Overview Web traffic is non-malicious. Productivity and Internet bandwidth can be removed can expose a network to... depending on web pages. 292 Inappropriate surfing habits can be given before enabling removal any object types from where the user is enabled via the HTTP ALG which are embedded into by configuring the corresponding HTTP Application Layer Gateway accordingly. Web ...
Page 295
...retrieve the category of those web pages. 6.3.4. If access is not necessary to manually specify beforehand which URLs to block or to the user explaining that category. In the table, click on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. Select Whitelist as shopping, news, ...ALG, NetDefendOS supports Dynamic Web Content Filtering (WCF) of categories such as the Action 6. Caching can then be presented to allow. Security Mechanisms 6. Dynamic WCF Databases NetDefendOS Dynamic WCF allows web page blocking to be automated so it is denied, a web page will...